// CreateProcessAsUserSystem.cpp (Windows NT/2000)
//
// This example will show how you can create a process
// in the context of the user 'SYSTEM'
//
//
// (c)1999 Ashot Oganesyan K, SmartLine, Inc
// mailto:ashot@aha.ru, http://www.protect-me.com, http://www.codepile.com
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
// Byte layout of the 7-byte x86 patch that main() writes over the first
// bytes of ntdll!NtCreateProcess:
//     B8 <imm32>   mov eax, imm32
//     FF E0        jmp eax
// pack(1) is required so the three fields are contiguous with no padding
// (BYTE + 4-byte pointer + WORD = 7 bytes on 32-bit x86, the only target
// the inline assembly below supports).
// NOTE(review): the packing is never restored with a matching #pragma
// pack() later in this file, so it stays in effect for every struct
// declared after this point.
#pragma pack(1)
typedef struct
{
BYTE mov_eax;   // 0xB8 opcode (filled in by main)
LPVOID address; // the 32-bit immediate: address the stub jumps to
WORD jump_eax;  // 0xE0FF, i.e. bytes FF E0 in memory (little-endian)
} ASMJUMP, *PASMJUMP;
// Forward declaration; the definition is at the end of this file.
BOOL SetPrivileges(HANDLE hprocess, LPTSTR privilege, BOOL bSwitch);
// File-scope state shared with the naked HackedNtCreateProcess stub, which
// reads both values from inline assembly (nothing is passed as a parameter).
HANDLE hParentProc; // opened by main() with PROCESS_CREATE_PROCESS
DWORD dwFunc;       // NtCreateProcess service number, chosen in main() by OS major version
// Hacked NtCreateProcess
// Replacement body for ntdll!NtCreateProcess.  It is never called directly:
// main() overwrites the export's first bytes with a jump here, so the stub
// runs with exactly the caller's stack layout.  MSVC x86 only:
// __declspec(naked) emits no prologue/epilogue and _asm is the 32-bit
// inline assembler.
// Stack on entry: [esp] = return address, [esp+4 ...] = the NtCreateProcess
// arguments.  [esp+16] is therefore the 4th argument, which this code treats
// as ParentProcess (the NT 4/2000 prototype) — confirm against the target
// ntdll before relying on it.
// NOTE(review): every value here (argument offset, system-service numbers in
// dwFunc, the int 2Eh entry, the 0x20-byte argument block) is tied to the
// NT 4 / 2000 x86 kernel interface; none of it is looked up at run time.
void __declspec(naked)HackedNtCreateProcess()
{
_asm
{
// Replace the ParentProcess argument with the handle main() opened
mov eax,hParentProc
mov dword ptr [esp+16],eax
// System service number for NtCreateProcess, set per OS version in main()
mov eax,dwFunc
// edx -> first argument on the stack (the native-call convention expects
// the argument array pointer in edx)
lea edx,dword ptr [esp+4]
// Legacy software-interrupt system-call entry
int 2Eh
// Callee-cleans-stack return: 0x20 = 32 bytes = 8 DWORD arguments
retn 20h
}
}
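// Print "<message>: <system text for error>" on stdout.
//
// message: caller-supplied prefix. It is printed through "%s", never used
//          as a format string.
// error  : Win32 error code, normally the value of GetLastError().
//
// If FormatMessage cannot produce text for the code (unknown code, no
// message table) the numeric code is printed instead. The original version
// used the buffer pointer unconditionally, so a failed FormatMessage left
// errMsg uninitialized for both printf and LocalFree.
void PrintWin32Error( char *message, DWORD error )
{
    char *errMsg = NULL;
    // FORMAT_MESSAGE_IGNORE_INSERTS: some system messages contain %1-style
    // inserts; without the flag FormatMessage fails on them because no
    // argument array is supplied here.
    // FormatMessageA is used explicitly because errMsg is a char buffer.
    DWORD len = FormatMessageA( FORMAT_MESSAGE_ALLOCATE_BUFFER |
                                FORMAT_MESSAGE_FROM_SYSTEM |
                                FORMAT_MESSAGE_IGNORE_INSERTS,
                                NULL, error,
                                MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                                (LPSTR) &errMsg, 0, NULL );
    if ( len == 0 || errMsg == NULL )
    {
        printf( "%s: error %lu\n", message, (unsigned long) error );
        return;
    }
    // System messages end in "\r\n"; strip it so the output stays on one line.
    while ( len > 0 && ( errMsg[len - 1] == '\n' || errMsg[len - 1] == '\r' ) )
    {
        errMsg[--len] = '\0';
    }
    printf( "%s: %s\n", message, errMsg );
    // Buffer was allocated by FormatMessage (ALLOCATE_BUFFER) and is ours to free.
    LocalFree( errMsg );
}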
// Entry point.  argv[1] is the command line of the program to start.
// Sequence: enable SeDebugPrivilege on this process; pick a hard-coded PID
// for the System process and the NtCreateProcess service number from the
// OS major version; open that process with PROCESS_CREATE_PROCESS; overwrite
// the first bytes of ntdll!NtCreateProcess in this process with a jump to
// HackedNtCreateProcess; then call CreateProcess so the request goes through
// the patched stub.  Returns 0 on success and -1 on any failure.
// The patch is applied in place and never restored before returning.  It
// affects only this process's mapping of ntdll (presumably a private
// copy-on-write page), but it is the kind of in-process image tampering
// that memory-integrity checks and EDR hook scanners flag.
int main(int argc, char* argv[])
{
printf("\nSysProc for Windows NT/2000 FREEWARE\n");
printf("Creates a process in the context of the SYSTEM\n");
printf("(c)2000 SmartLine Inc. http://www.protect-me.com\n\n");
if (argc<2)
{
_tprintf(TEXT("Usage:\n\t sysproc.exe <program name>\n"));
return -1;
}
// (HANDLE)-1 is the current-process pseudo-handle.  SeDebugPrivilege is
// what allows the OpenProcess call below to succeed on a SYSTEM-owned
// process; the caller must already hold the privilege (it is only enabled,
// not granted).
if (!SetPrivileges((HANDLE)-1,SE_DEBUG_NAME,TRUE))
{
PrintWin32Error("SetPrivileges failed",GetLastError());
return -1;
}
UINT uSysProcId;
// PID of the System process and NtCreateProcess service number are
// hard-coded per major version rather than discovered at run time.
// NOTE(review): there is no default case, so on any major version other
// than 3, 4 or 5 both uSysProcId and dwFunc are left uninitialized and
// uSysProcId is then read by OpenProcess below (undefined behavior).
switch(LOBYTE(LOWORD(GetVersion())))
{
case 3:
uSysProcId = 0x02;
dwFunc = 0x1E;
break;
case 4:
uSysProcId = 0x02;
dwFunc = 0x1F;
break;
case 5:
uSysProcId = 0x08;
dwFunc = 0x29; // 0x2A - for W2K beta;
break;
}
// Trying to get a handle to the system process.  Only PROCESS_CREATE_PROCESS
// is requested; the handle is consumed by HackedNtCreateProcess via the
// global hParentProc and is never closed in this function.
hParentProc = OpenProcess(PROCESS_CREATE_PROCESS,TRUE,uSysProcId);
if (!hParentProc)
{
PrintWin32Error("Could not open system process",GetLastError());
return -1;
}
// Address of the exported stub that will be overwritten, looked up in this
// process's already-loaded ntdll.
PASMJUMP NtCreateProcessHook = (PASMJUMP)
GetProcAddress(
GetModuleHandle(TEXT("ntdll.dll")),
"NtCreateProcess");
if (NtCreateProcessHook==NULL)
{
PrintWin32Error("Could not get procedure address",GetLastError());
return -1;
}
// Enable write access to the memory holding the stub.
// NOTE(review): neither VirtualQuery nor VirtualProtect is checked; if
// either fails the three stores below fault.  The protection change covers
// the whole allocation (AllocationBase/RegionSize), far more than the
// 7 bytes actually written, and is never restored to its original value.
MEMORY_BASIC_INFORMATION mbi;
VirtualQuery(NtCreateProcessHook,&mbi,sizeof(MEMORY_BASIC_INFORMATION));
DWORD dw;
VirtualProtect(mbi.AllocationBase,mbi.RegionSize,
PAGE_EXECUTE_READWRITE,&dw);
// Redirect call to HackedNtCreateProcess by writing the 7-byte ASMJUMP
// stub over the export's first bytes:
//
// mov eax,HackedNtCreateProcess
// jmp eax
NtCreateProcessHook->mov_eax = 0xB8;
NtCreateProcessHook->address = HackedNtCreateProcess;
NtCreateProcessHook->jump_eax = 0xE0FF;
// Call CreateProcess; with lpApplicationName NULL, argv[1] is the whole
// command line (CreateProcessA may write into that buffer, argv is writable).
// The patched stub only takes effect if CreateProcess reaches
// NtCreateProcess, which is the NT 4 / 2000 path this tool targets; later
// Windows versions create processes through a different native call, so
// the hook would presumably never be hit there — not verifiable from this file.
PROCESS_INFORMATION pi;
STARTUPINFO si;
ZeroMemory(&pi,sizeof (PROCESS_INFORMATION));
ZeroMemory(&si,sizeof (STARTUPINFO));
si.cb = sizeof(STARTUPINFO);
if (!CreateProcess(NULL,argv[1],
NULL, NULL,
FALSE,
0,NULL,NULL,
&si,
&pi))
{
PrintWin32Error("Could not create process",GetLastError());
return -1;
}
// Child keeps running; this process only drops its handles and exits.
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return 0;
}
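// Enable or disable one named privilege on the access token of hprocess.
//
// hprocess : process whose token is adjusted ((HANDLE)-1 is the
//            current-process pseudo-handle, as used by main()).
// privilege: privilege name accepted by LookupPrivilegeValue, e.g. SE_DEBUG_NAME.
// bSwitch  : TRUE to enable the privilege, FALSE to disable it.
//
// Returns TRUE only when the privilege was actually adjusted; FALSE
// otherwise, with GetLastError() describing the failure.  The privilege
// must already be held by the token: AdjustTokenPrivileges cannot add
// privileges, and its ERROR_NOT_ALL_ASSIGNED outcome is reported as failure.
// Fixes against the original: the token handle is now closed on every exit
// path (it leaked before), the disable case stores 0 instead of the pointer
// constant NULL in a DWORD field, and a FALSE return from
// AdjustTokenPrivileges is checked instead of relying on last-error alone.
BOOL SetPrivileges(HANDLE hprocess, LPTSTR privilege, BOOL bSwitch)
{
    BOOL ok = FALSE;
    HANDLE hToken = NULL;
    LUID luid;
    TOKEN_PRIVILEGES tkp;
    DWORD savedError;

    if (!OpenProcessToken(hprocess,
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                          &hToken))
    {
        return FALSE;   // nothing acquired yet, nothing to release
    }

    if (!LookupPrivilegeValue(NULL, privilege, &luid))
    {
        goto out;
    }

    ZeroMemory(&tkp, sizeof tkp);
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = luid;
    // Attributes is a DWORD bitmask; 0 (not NULL) disables the privilege.
    // The enable mask is kept as in the original call.
    tkp.Privileges[0].Attributes = bSwitch
        ? (SE_PRIVILEGE_ENABLED |
           SE_PRIVILEGE_ENABLED_BY_DEFAULT |
           SE_PRIVILEGE_USED_FOR_ACCESS)
        : 0;

    if (!AdjustTokenPrivileges(hToken,
                               FALSE,
                               &tkp,
                               sizeof tkp,
                               NULL,
                               NULL))
    {
        goto out;
    }
    // AdjustTokenPrivileges returns TRUE even when the privilege is not held
    // by the token; it then sets ERROR_NOT_ALL_ASSIGNED, so the last-error
    // value has to be inspected as well.
    if (GetLastError() != ERROR_SUCCESS)
    {
        goto out;
    }
    ok = TRUE;

out:
    // Preserve the failure reason across CloseHandle so callers can report it.
    savedError = GetLastError();
    CloseHandle(hToken);
    SetLastError(savedError);
    return ok;
}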